1512490 – Event log and engine spammed with 'User admin@internal-authz logged in/out' info messages

Bug 1512490 - Event log and engine spammed with 'User admin@internal-authz logged in/out' info messages

Summary: Event log and engine spammed with 'User admin@internal-authz logged in/out' i...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat CloudForms Management Engine
Classification:	Red Hat
Component:	Providers
Sub Component:
Version:	5.9.0
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	GA
Target Release:	5.10.0
Assignee:	Boriso
QA Contact:	Ilanit Stein
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1520956 (view as bug list)
Depends On:	1468965
Blocks:	1520956
TreeView+	depends on / blocked

Reported:	2017-11-13 10:59 UTC by Juan Hernández
Modified:	2019-02-11 13:54 UTC (History)
CC List:	12 users (show)
Fixed In Version:	5.10.0.0
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1468965
Clones:	1520956 (view as bug list)
Environment:
Last Closed:	2019-02-11 13:54:26 UTC
Category:	Bug
Cloudforms Team:	RHEVM
Target Upstream Version:
Embargoed:
Flags:	istein: needinfo+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	80669	0	'None'	'MERGED'	'aaa: Event log and engine spammed with logout message'	2019-11-18 03:11:47 UTC

Description Juan Hernández 2017-11-13 10:59:04 UTC

+++ This bug was initially created as a clone of Bug #1468965 +++

Description of problem:
Event log and engine spammed with 'User admin@internal-authz logged in/out' info messages.

The event log ui and engine log are spammed with info event messages about user admin logged in and out every 20 to 50 minutes. 
The events are followed as 3 messages about user admin logged in then 3 messages  as user admin logged out.

The messages appears when no user admin was logged in the session.
Something triggers those messages info events, not sure what.

Version-Release number of selected component (if applicable):
4.1.4-0.2.el7

How reproducible:
100% on 4.1.4-0.2.el7

Steps to Reproduce:
1. Just log in the webadmin and check the log event ui or check for engine log

--- Additional comment from Michael Burman on 2017-07-10 02:09 EDT ---



--- Additional comment from Michael Burman on 2017-07-10 02:10:40 EDT ---

I see this behaviour on the latest master as well - 4.2.0-0.0.master.20170709165327.gitfd2334b.el7.centos

--- Additional comment from Michael Burman on 2017-07-10 03:46:20 EDT ---

Thinking about it, those rhv-m engines are running in CFME(5.8.1) as 'Infrastructure Providers', so maybe it now make sense from where all of those log in and out messages event are coming, the question is this is expected? 

Is something like that is expected - 
Jul 10, 2017, 8:23:09 AM User admin@internal-authz logged out.
Jul 10, 2017, 8:23:09 AM User admin@internal-authz logged out.
Jul 10, 2017, 8:23:08 AM User admin@internal-authz logged out.

Jul 10, 2017, 8:05:52 AM User admin@internal-authz logged out.
Jul 10, 2017, 8:05:52 AM User admin@internal-authz logged out.
Jul 10, 2017, 8:05:52 AM User admin@internal-authz logged out.

--- Additional comment from Oved Ourfali on 2017-07-10 03:51:45 EDT ---

As part of the provider work we do login/logout.
We do use the same session for some cases, but not for all of them.

Juan - I guess that is expected, but please take a look and let me know whether I'm wrong.

--- Additional comment from Michael Burman on 2017-07-10 04:12:05 EDT ---

(In reply to Oved Ourfali from comment #4)
> As part of the provider work we do login/logout.
> We do use the same session for some cases, but not for all of them.
> 
> Juan - I guess that is expected, but please take a look and let me know
> whether I'm wrong.

I guess as well, but i don't think that the same event should be printed 3 times for log in and 3 times for log out(it's confusing).

--- Additional comment from Juan Hernández on 2017-07-10 04:21:44 EDT ---

It is not the same event printed three times, but three different events. The reason is probably the CFME provider is logging in multiple times instead of reusing the authentication session.

Michael, can you please check the /var/log/httpd/ssl_access_log file corresponding to the time of those events? It should reflect the API activity, and will help us determine if those events are really triggered by CFME.

--- Additional comment from Michael Burman on 2017-07-10 04:29:35 EDT ---

Hi Juan,

10.35.17.178 is the CFME -

For example from the last minutes -

10.35.17.178 - - [10/Jul/2017:11:24:30 +0300] "GET /ovirt-engine/api/events?from=34041 HTTP/1.1" 200 86
10.35.17.178 - - [10/Jul/2017:11:24:45 +0300] "GET /ovirt-engine/api/events?from=34041 HTTP/1.1" 200 86
10.35.17.178 - - [10/Jul/2017:11:25:00 +0300] "GET /ovirt-engine/api/events?from=34041 HTTP/1.1" 200 86
10.35.17.178 

10.35.17.178 - - [10/Jul/2017:11:25:30 +0300] "GET /ovirt-engine/api/events?from=34041 HTTP/1.1" 200 86
10.35.17.178 - - [10/Jul/2017:11:25:45 +0300] "GET /ovirt-engine/api/events?from=34041 HTTP/1.1" 200 86
10.35.17.178 - - [10/Jul/2017:11:26:01 +0300] "GET /ovirt-engine/api/events?from=34041 HTTP/1.1" 200 86
10.35.17.178 - - [10/Jul/2017:11:26:16 +0300] "GET /ovirt-engine/api/events?from=34041 HTTP/1.1" 200 86

10.35.17.178 - - [10/Jul/2017:11:26:31 +0300] "GET /ovirt-engine/api/events?from=34041 HTTP/1.1" 200 86
10.35.17.178 - - [10/Jul/2017:11:26:46 +0300] "GET /ovirt-engine/api/events?from=34041 HTTP/1.1" 200 86
10.35.17.178 - - [10/Jul/2017:11:27:01 +0300] "GET /ovirt-engine/api/events?from=34041 HTTP/1.1" 200 86

10.35.17.178 - - [10/Jul/2017:11:27:16 +0300] "GET /ovirt-engine/api/events?from=34041 HTTP/1.1" 200 86

--- Additional comment from Michael Burman on 2017-07-10 04:30 EDT ---



--- Additional comment from Martin Perina on 2017-07-10 04:35:56 EDT ---

(In reply to Michael Burman from comment #5)
> (In reply to Oved Ourfali from comment #4)
> > As part of the provider work we do login/logout.
> > We do use the same session for some cases, but not for all of them.
> > 
> > Juan - I guess that is expected, but please take a look and let me know
> > whether I'm wrong.
> 
> I guess as well, but i don't think that the same event should be printed 3
> times for log in and 3 times for log out(it's confusing).

AFAIK we don't print the same message 3 times, so most probably it's 3 different sessions for the same user.

We show client IP or database session id inside Sessions tab in webadmin, so we could probably add more info about each logged-out session (maybe some unique session ID which could be visible in both webadmin and logs). Ravi, what do you think?

--- Additional comment from Juan Hernández on 2017-07-10 06:11:58 EDT ---

Looking at the logs I see that all the API access come from the same IP address, and the requests match what CFME does.

A normal installation of CFME creates three different workers to handle the integration with RHV:

* One worker that performs the inventory refresh.
* One worker that catches events.
* One worker that collects metrics.

In the CFME architecture each of these workers is a separate Ruby process.

The 'ovirt' Ruby gem that we currently use to talk to RHV stores in a global variable the authentication session id, and renews it when it expires in the RHV side. Processes don't share global variables. This means that each of the three workers will need to log-in to renew the session id when the session expires in the RHV side. That explains the three consecutive long-in events that you see.

So these events are normal, and not a regression, in my opinion.

If we want to avoid them we can devise a mechanism to share the session between the workers that need it. This could be achieved in the CFME side storing the session id in the database, or in memcached, instead of using global variables.

Alternatively we could consider a mechanism for the RHV administrator to mute events based on certain rules, for example to ignore the login/logout events coming from the CFME IP address.

(Note that when using version 4 of the API instead of version 3 the same will apply, but to the SSO token instead of to the session id.)

--- Additional comment from Martin Perina on 2017-07-10 06:23:40 EDT ---

Personally I don't think it's an issue for CFME to use 3 sessions per engine, so the only issue is that having 3 same logging messages is confusing. So let's add some differentiation to the logging message so admin will know that those were 3 different sessions.

Based on above removing regression keyword and targeting to 4.2 as it should be an easy fix

--- Additional comment from Pavel Novotny on 2017-10-30 11:42:58 EDT ---

Verified in
ovirt-engine-webadmin-portal-4.2.0-0.0.master.20171029154613.git19686f3.el7.centos.noarch
ovirt-engine-4.2.0-0.0.master.20171029154613.git19686f3.el7.centos.noarch

As per comment 11, the login/logout messages now contain the client IP and session ID:

  User admin@internal-authz connecting from '<IP>' using session '<SESSION_ID>' logged in.

  User admin@internal-authz connected from '<IP>' using session '<SESSION_ID>' logged out.

See attached screenshot for more details.

--- Additional comment from Pavel Novotny on 2017-10-30 11:44 EDT ---

Comment 2 Juan Hernández 2017-11-13 11:01:51 UTC

Apparently this log spamming is happening again, and it happens because the event catcher tries to determine the supported versions of the API periodically. It should do it only when the `api_version` attribute is empty, but the event catcher loads the provider object only once, when the provider is added, and at that point the `api_version` is attribute is empty.

Comment 3 Michael Burman 2017-11-13 12:01:05 UTC

(In reply to Juan Hernández from comment #2)
> Apparently this log spamming is happening again, and it happens because the
> event catcher tries to determine the supported versions of the API
> periodically. It should do it only when the `api_version` attribute is
> empty, but the event catcher loads the provider object only once, when the
> provider is added, and at that point the `api_version` is attribute is empty.

Juan, 
I have run the test you asked, i have restarted the evmserverd service, but the audit messages still generated and the rehvm.log got spammed right away, with those endless audit messages:

[----] I, [2017-11-13T06:53:23.569550 #39238:873138]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/'.
[----] I, [2017-11-13T06:53:23.707509 #39238:873138]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/'.
[----] I, [2017-11-13T06:53:24.036834 #39238:873138]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/openstacknetworkproviders'.
[----] I, [2017-11-13T06:53:24.146067 #39238:873138]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/openstacknetworkproviders'.
[----] I, [2017-11-13T06:53:28.103394 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414162'.
[----] I, [2017-11-13T06:53:28.209909 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:53:43.219501 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414162'.
[----] I, [2017-11-13T06:53:43.301535 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:53:58.314506 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414162'.
[----] I, [2017-11-13T06:53:58.394665 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:54:13.403048 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414162'.
[----] I, [2017-11-13T06:54:13.474375 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:54:28.485312 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414163'.
[----] I, [2017-11-13T06:54:28.554783 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:54:43.562134 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414163'.
[----] I, [2017-11-13T06:54:43.636257 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:54:58.642821 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414163'.
[----] I, [2017-11-13T06:54:58.733890 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:55:13.740183 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414163'.
[----] I, [2017-11-13T06:55:13.816600 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:55:28.824111 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414163'.
[----] I, [2017-11-13T06:55:28.895160 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:55:43.903880 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414163'.
[----] I, [2017-11-13T06:55:44.001251 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:55:59.008231 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414163'.
[----] I, [2017-11-13T06:55:59.089133 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:56:14.095094 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414163'.
[----] I, [2017-11-13T06:56:14.176443 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:56:29.182808 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414163'.
[----] I, [2017-11-13T06:56:29.261729 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:56:44.268549 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414163'.
[----] I, [2017-11-13T06:56:44.345485 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.
[----] I, [2017-11-13T06:56:59.353909 #39229:c56228]  INFO -- : Sending GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events?from=414163'.
[----] I, [2017-11-13T06:56:59.429257 #39229:c56228]  INFO -- : Received response code 200 for GET request to URL 'https://mburman-4-test-rpms.scl.lab.tlv.redhat.com/ovirt-engine/api/events'.

This is only after 3 minutes...

Comment 4 Juan Hernández 2017-11-13 12:18:11 UTC

The messages that you see in `rhevm.log` are expected, and they don't correspond to any audit log. We are not going to remove them.

The problem is with other request that you will see only in the RHV access log, there are requests for `/ovirt/engine/api` and `/api`, comming from the SDK probe. Those are the ones that we need to make sure don't happen, as are the ones that result in the messages in the RHV audit log. In my tests this happened when the provider was initially added, and disappeared when I restarted the ManageIQ server, because then it re-loaded the provider and then the `api_version` method returned a non-blank string. There may be other situations where it is blank as well, even restarting the server. Boris can you check that?

Michael, to get more information about those requests, and validate that they are comming from that probe, can you modify the `/etc/httpd/conf.d/ssl.conf` file on the RHV machine so that the last line contains this?

CustomLog logs/ovirt-requests-log "%t %h \"User-Agent: %{User-Agent}i\" \"Duration: %Dus\" \"%r\" %b"

Then restart the web server:

# systemctl restart httpd

You will see then in the `/var/log/ovirt-engine/ovirt-requests-log` lines where the user agent is `RubySDK` and other lines where the user agent is `RubyProbe`. The lines that contain `RubyProbe` are the ones that we want to avoid, as they are the ones that cause the login/logout event log messages.

Boris, would also be good to modify the call to the `Probe.probe` method so that it writes the requests to `rhevm.log`, which it doesn't now. Should be a matter of adding `log: $rhevm_log`.

Comment 5 Michael Burman 2017-11-13 12:29:06 UTC

Juan, 
I thought you wanted me to check the rhevm.log after the evmserverd restart, but now i understand that you wanted me to check the rhv engine it self, this is actually worked, after the cfme service restart, i don't see those requests any more in the engine. 

I do see now new messages starting to appear - 
ETL service sampling has encountered an error. Please consult the service log for more details.

Comment 6 Boriso 2017-11-28 15:06:31 UTC

https://github.com/ManageIQ/manageiq-providers-ovirt/pull/157

Comment 8 Ilanit Stein 2018-09-17 14:47:37 UTC

Hi Boris,

I checked RHV event messages on RHV-4.2.3, connected to CFME-5.10.0.15.

such messages repeat every 1 hour:


User admin@internal-authz connecting from '<CFME IP address>' using session 'RKNonBDZPv3p3OC4DFQONmZGONi9bbMRqY/klpm9JcD1YawxkazLzQ2sU5RTyqnRibAgNIAo6Tz/iXWxPMqVpQ==' logged in.

Is this expected behavior, after the fix?

Thanks.

Comment 9 Ilanit Stein 2018-10-02 14:13:31 UTC

After discussing it with Dev people, it seems that these are Authentication messages, that are normally appearing once in an hour.
This is a normal behavior, and not as the reported spam.
Therefore, moving the bug to Verified.

Comment 10 Ilanit Stein 2018-10-08 08:05:04 UTC

*** Bug 1520956 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.